Imgur: SSRF and local file read in video to gif converter
Video to gif converter on http://imgur.com/vidgif uses Lavf/55.48.100 with network options enabled. It makes possible SSRF by uploading specially crafted playlist. For example we can use mp4 file http://yngwie.ru/1.mp4 EXTM3U EXT-X-MEDIA-SEQUENCE:0 EXTINF:10.0, http://yngwie.ru/2.mp4 EXT-X-ENDLIS...
Internet Bug Bounty: OpenSSL vulnerable to the Marvin Attack (CVE-2022-4304)
A timing side channel vulnerability in OpenSSL RSA decryption was discovered that could allow plaintext recovery. By measuring decryption time, an attacker could recover RSA plaintext from captured ciphertexts after a large number of decryption attempts. All RSA padding modes were affected. The...
Shopify: Subdomain Takeover in http://genghis-cdn.shopify.io/ pointing to Fastly
Hi, I've found a Shopify CDN domain here which had an instance of Fastly set up but did not remove the DNS record when the service was cancelled. A subdomain takeover similar to that of https://hackerone.com/reports/32825 could be possible. Vulnerable URL: http://genghis-cdn.shopify.io Page...
InnoGames: Information disclosure via ".htaccess" at https://login.innogames.de
Hi team, I found an insecure file. Name: .htaccess. Normally, only the web server is allowed to read the .htaccess file, but in this case, it appears that there is a misconfiguration that is causing the contents of the .htaccess located at https://login.innogames.de/.htaccess to download as a file and read...
HackerOne: CSRF possible when SOP Bypass/UXSS is available
Description: If an attacker could extract content from https://hackerone.com, they could perform CSRF attacks due to the fact that: 1. Some pages print the token in the HTML response (edit user form at https://hackerone.com/settings/profile/edit) 2. Tokens aren't bound per action 3. PATCH/DELETE ca...
h1-ctf: 12 Days of CTF Walkthroughs
h1-ctf: 12 Days of Hacky Holidays This is my writeup for 12 Days of Hacky Holidays. The report is written such that beginners to CTFs will be able to learn the tricks of the trade. The Mission: The Grinch has gone hi-tech this year with the intention of ruining the holidays 😱We need you to...
Mail.ru: BRUTE FORCE ATTACK
Hi, I've found that a user is allowed to perform brute force at https://m.my.mail.ru/cgi-bin/login and https://babel.mail.ru/login/. I tried to input a wrong password 30 times, then input my correct password on my 31st attempt and it successfully logged in; a malicious-minded user can always...
U.S. Dept Of Defense: Unauthenticated Arbitrary File Deletion "CVE-2020-3187" in █████
Summary: A vulnerability in the interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files. Description:...
Mail.ru: mailgun subdomain takeover on "email.mail.geekbrains.ru"
The unused email.mail.geekbrains.ru domain was delegated to Mailgun and was not claimed, allowing it to be used with the Mailgun service...
8x8 Bounty: Open TURN relay abuse is possible due to lack of peer access control (Critical)
NOTE: This is not an SSRF vulnerability but an open TURN relay vulnerability. Typically, this security vulnerability has at least the same impact as an SSRF. However it is considered more useful from an attacker's point of view since attacks are not restricted to HTTP. - Affects: - █████:443 -...
Snapchat: Subdomain takeover on http://fastly.sc-cdn.net/
Hey team, I've found a Snapchat CDN domain here which had a test instance of Fastly set up but did not remove the DNS record when the service was cancelled. This allowed me to create a Fastly instance to take it over. I've confirmed this is a Snapchat property via Censys...
curl: Hackers Attack Curl Vulnerability Accessing Sensitive Information
Summary: A critical security flaw in curl. This is a data transfer tool and may potentially allow attackers to access sensitive information. Affected versions: 6.5 through 8.11.0. Steps To Reproduce: Security vulnerability when curl is used with a .netrc file for the credentials and also uses a HTTP...
Open-Xchange: Multiple buffer over reads in mbox_from_parse
Vulnerabilities were found fuzzing mbox_from_parse. Different inputs reproducing the behavior are: 0xe7,0xdf,0x1,0x0,0x30,0x3f,0x20,0x32,0x20,0x30,0x3a,0x32,0x39,0x20,0x3f,0x3f,0x3f,0x20,0x34,0x39,0x30,0x34,0xdb,0x32,0x32,0x3a,0x32,0x36,...
Sifchain: Information Disclosure on https://rpc.sifchain.finance/
Description: Hi team, I see the subdomain https://rpc.sifchain.finance/. I visited this subdomain and it contains many endpoints. Affected URLs: https://rpc.sifchain.finance/ PoC: Available endpoints: Endpoints that require arguments: //rpc.sifchain.finance/abci_info?...
Omise: SSRF in webhooks leads to AWS private keys disclosure
Vulnerability Summary Omise makes use of Amazon AWS as their application environment. Due to a vulnerability in the way webhooks are implemented, an attacker can make arbitrary HTTP/HTTPS requests from the application server and read their responses. This is known as a server-side request forgery...
Nintendo: [Xenoblade Chronicles X: Definitive Edition] Unrestricted RPCs allow DoS and writing arbitrary flags remotely
The Xenoblade Chronicles X: Definitive Edition vulnerability allowed attackers to perform Denial-of-Service (DoS) attacks and write arbitrary flags remotely due to unrestricted Remote Procedure Calls (RPCs)...
Internet Bug Bounty: DOMPurify bypass
A mutation-based bypass exists in DOMPurify when sanitizing SVG elements, using almost the same technique described by Michał Bentkowski (@SecurityMB) at https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/. A PoC payload with the DOM state before and after parsin...
U.S. Dept Of Defense: PHP info page disclosure
Summary: phpinfo is a debug functionality that prints out detailed information on both the system and the PHP configuration. Step-by-step Reproduction Instructions: 1. Go to https://███████phpinfo Impact: An attacker can obtain information such as: • Exact PHP version. • Exact OS and its version...
Mars: debug.log leaked [█████████]
The report identified a security vulnerability in the visitor management system that exposed a debug log file containing personally identifiable information. The log file was publicly accessible without authentication, allowing unauthorized access to sensitive user data. The vulnerability was...
X (Formerly Twitter): Discoverability by phone number/email restriction bypass
Summary: By using this vulnerability an attacker can find a Twitter account by its phone number/email even if the user has prohibited this in the privacy options. Description: The vulnerability allows any party without any authentication to obtain a Twitter ID, which is almost equal to getting the...
GSA Bounty: SSRF in Search.gov via ?url= parameter
Summary: The https://search.usa.gov/helpdocs endpoint is vulnerable to SSRF via the url parameter. The parameter is protected but can be bypassed using LF (%0A). Steps To Reproduce: 1. Log in to Search.gov and click the help manual. 2. The following request was vulnerable. - Request GET...
TomTom: Apache mod_status /server-status Information Disclosure
Description: It is possible to obtain an overview of the remote Apache web server's activity and performance by requesting the URL '/server-status'. This overview includes information such as current hosts and requests being processed, the number of workers idle and serving requests, and CPU...
Hanno's projects: SSRF in rompager-check
Summary: The script rompager.php does not restrict which hosts can be requested. Thereby, an attacker can send HTTP requests to localhost and other servers of the same local network segment, on ports 80 and 7547. Description: In rompager.php, the value of CURLOPT_URL is fully controlled: php Port...
Brave Software: Null Pointer Dereference by Crafted Response from AI Model
The Brave browser was affected by a null pointer dereference vulnerability caused by a crafted response from an AI model. The vulnerability was triggered when the user set a malicious endpoint as the AI model's server endpoint. The code handling the server response assumed a specific structure...
U.S. Dept Of Defense: Log4Shell: RCE 0-day exploit on █████████
Hi team, Log4Shell is a recent 0-day exploit; it is a vulnerable Java package. The ██████████ domain is vulnerable. Impact: RCE. System Hosts: █████████ Affected Products and Versions: CVE Numbers: CVE-2021-44228 Steps to Reproduce: 1. Go to this url =...
Reddit: Email Verification Bypass And Get access to user's private invitation.
Part 2 of my previous report: https://hackerone.com/reports/1225499 I am sending this report again because you closed my previous report. I posted a new impact of this vulnerability in my previous report but I didn't get any reply. So I reported it again. First Vulnerability: Email verification...
AWS VDP: Non-Production API Endpoints for the Route 53 Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration
The non-production API endpoints for the Route 53 service failed to log to CloudTrail, resulting in silent permission enumeration. Two non-production endpoints were found that could be used with standard IAM credentials without logging to CloudTrail. This allowed an adversary to perform permissio...
U.S. Dept Of Defense: Install.php File Exposure on Drupal
The install.php file on Drupal 8 or higher was left accessible after installation, potentially allowing attackers to reinstall the website and cause data loss or other issues. Additionally, an error message displayed on the website could be used to escalate privilege and access sensitive...
Nord Security: No Rate Limit On Forgot Password Page Of affiliates.nordvpn.com
Introduction: A little bit about rate limiting: A rate limiting algorithm is used to check if the user session or IP address has to be limited based on the information in the session cache. In case a client made too many requests within a given time frame, HTTP servers can respond with status code...
Kubernetes: Username enumeration via Openssh 7.6
Username enumeration: I have found a vulnerability in your site that allows me to verify if a user exists in SSH due to the use of OpenSSH 7.6p1. PoC: 1. Download and compile the given exploit file. 2. Open a terminal and run the exploit. I have attached a screenshot; if a detailed PoC is needed pleas...
Engel & Völkers Technology GmbH: CVE-2019-11248 on alertmanager.ev-cloud-platform.engelvoelkers.com
Summary: The debugging endpoint /debug/pprof is exposed over the unauthenticated Kubelet healthz port. Versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10 are affected. The issue is of medium severity, but not exposed by the default configuration. Steps To Reproduce: Navigate to the following...
Shopify: Account takeover intercepting magic link for Arrive app
Summary: The "magic link" used for login by the Arrive app uses Branch.io to pass the login token via deeplink to the app. But the URL contained in the link (app.link domain) is not verified, so it can be intercepted by a malicious app and take over the account. Description: When trying to log in with Arrive...
Sucuri: Administrator Access to grafana instance logstash2.sucuri.net with default credentials
Hi Team, While doing some recon on the subdomains of sucuri.net I came across logstash2.sucuri.net, which is running a Grafana instance on port 3000. It appears that the instance has had the /public directory deleted or is unavailable, as there are a few 404 errors which make the page unusable...
curl: bypass of this Fixed #2437131 [ Inadequate Protocol Restriction Enforcement in curl ]
Summary: A flaw has been identified in the curl command-line tool related to its protocol selection mechanism. Specifically, the protocol restrictions set by the --proto option can be bypassed, allowing unintended protocols to be used despite explicit restrictions. This flaw can result in plainte...
Cloudflare: SSRF
Hi, I made a report to grabtaxi for SSRF, but grabtaxi answered me: coffeecup closed the report and changed the status to Not Applicable. Jul 26th (2 hrs ago): Hello @linkks - After further review, we have determined that this is not SSRF on any of our web properties or assets. All IPs mentioned in this repo...
BugPoC: [BugPOC and Amazon XSS CTF writeup] A CSP Bypass Story
Summary/Description: There were quite a few restrictions imposed while executing JavaScript on the website. I have divided them into three segments which are explained below. Bypassing the iframe loading restriction: The URL https://wacky.buggywebsite.com/frame.html?param=Hello,%20World when...
IBM: POST based Cross-Site Scripting on IBM research endpoint
The POST-based Cross-Site Scripting vulnerability on the IBM research endpoint was reported, analyzed, and remediated. The vulnerability was discovered by an external researcher...
HackerOne: Subdomain takeover of resources.hackerone.com
Hello, I just went to https://resources.hackerone.com/ and it shows an error: "Non-hub domain. The URL you've accessed does not provide a hub. Please check the URL and try again." I've also checked that the CNAME is pointing to read.uberflip.com, which means if it is not added it can be added to any...
Logitech: SSRF allows reading AWS EC2 metadata using "readapi" variable in Streamlabs Cloudbot
Detailed summary is provided by the hacker below. Summary: Streamlabs Cloudbot is a customisable chatbot provided by Streamlabs which allows the creation of custom commands along with custom responses. These chat responses can take in "Variables" wrapped in curly brackets as documented in...
HackerOne: @wearehackerone.com is vulnerable to namespace attacks due to hackerone.com not being RFC2142 compliant.
Hola amigos, First off, I know RFCs are annoying. Second of all, namespace attacks are a btch. With that out of the way, here is an Inti-bug that was discovered as a result of reading RFC2142 very carefully. Brief summary of RFC2142 RFC2142 defines a standard set of email addresses that cover...
curl: CVE-2025-4947: QUIC certificate check skip with wolfSSL
Summary: When using wolfSSL as the TLS backend, there is an issue where the CN or SAN in the certificate is not verified when connecting to an IP address over HTTP/3. wolfSSL_X509_check_host is only called when peer->sni is not NULL. However, when an IP address is specified, peer->sni is NULL, so the...
Pornhub: Deserialization of untrusted data at https://www.redtube.com/media/hls?s=data
The researcher was able to exploit a PHP Object Injection vulnerability which allowed him to execute remote commands on the server...
DRIVE.NET, Inc.: [www.drive2.ru] CSRF through FCTX token bypass
During login on the login page, login is attempted through the FCTX token. In addition, the login page was implemented through g-recaptcha-response captcha, but an attacker can bypass g-recaptcha-response captcha without FCTX tokens, and login CSRF is possible. The issue was fixed by enabling the...
Fastly VDP: Unauthenticated cache purging
An unauthenticated cache purging vulnerability was found in the website of Fanout.io, allowing unauthenticated users to purge the cache of the website. This could potentially lead to various types of attacks such as website defacement, unauthorized access to sensitive data, or denial of service D...
curl: CVE-2025-5025: No QUIC certificate pinning with wolfSSL
Summary: When using wolfSSL as the TLS backend, certificate pinning does not work when using HTTP/3. The code should invoke wssl_verify_pinned, but it has not been implemented. Affected version (curl -V): WARNING: this libcurl is Debug-enabled, do not use in production curl 8.13.0 x86_64-pc-linux-gnu...
U.S. Dept Of Defense: Remote Code Execution - Unauthenticated Remote Command Injection (via Microsoft SharePoint CVE-2019-0604)
Summary: Microsoft recently released a patch for CVE-2019-0604. This vulnerability is caused by the Microsoft SharePoint application deserializing untrusted data from a user. This means an attacker can send a specially crafted/encoded parameter to a Microsoft SharePoint URL, and it will allow...
Radancy: Microsoft IIS tilde directory enumeration
Request: OPTIONS //1/a.aspx?aspxerrorpath=/ HTTP/1.1 Host: exactrd.maximum.nl Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36 Accept: */* Response: HTTP/1.1 404 Not Found...
Autodesk: HTML Injection in Business Name Parameter in Payapps
An HTML injection vulnerability was found in Autodesk Payapps, where arbitrary HTML content could have been injected in emails sent to users on signup. The vulnerability was reported by @0xsom3a and has been fixed by Autodesk...
Internet Bug Bounty: Drupal 7 pre auth sql injection and remote code execution
Motivation: I found a SQL Injection bug in Drupal. $value ... $new_keys[$key . '_' . $i] = $value; The function assumes that it is called with an array which has no keys. Example: db_query("SELECT * FROM users where name IN (:name)", array(':name' => array('user1','user2'))); Which results in this SQL statement: SELE...
U.S. Dept Of Defense: Read-only path traversal (CVE-2020-3452) at https://█████
Summary: I discovered a vulnerability, Read-only path traversal (CVE-2020-3452), at https://███████ Description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote...